[Solved] Account hacked?

[NikeJoshua]

Seems they replaced all instances of index.php with their own.

Can't connect to the FTP server to replace them either.

 

http://nikejoshua.heliohost.org/

[Wizard]

This support request is being escalated to our root admin.

[NikeJoshua]

Ftp access is back up, i replaced the index.php files in the subdirs to the correct ones, but left the one in public_html as is for reference purposes

[Byron]

Do you have any idea how they were able to get to your site? Does anybody else have your login information besides you? What kind of site are you running and do you have any vunerable scripts that might allow php injecton?

 

[Havoz]

Them Iranians got me too.. http://havoz.heliohost.org'

 

All I had was a simple guestbook looking thing I made in php, but I made sure to secure it all with htmlentites and real string escape with the database stuff.. Nothing more, why would they even bother..

[Byron]

but I made sure to secure it all with htmlentites and real string escape with the database stuff..

 

Did you use something like this for your forms?

 

$text = $_POST[text];
$text = str_replace("<?","",$text);
$text = str_replace("?>","",$text);

 

[NikeJoshua]

No one else knows my password.

I doubt that was the issue in any event as no other data was compromised.

SQL database was still intact, php files named other than index.php were still intact, no settings were changed, ...

 

There are data entry fields that get processed in php, but as Havoz, all used post variables are encased with

htmlspecialchars($var,ENT_QUOTES) or mysql_real_escape_string($var) where applicable...

 

 

[pooras]

My site hacked by a crazy group recently. I want to ask if it's possible to provide me attackers' IP and ANY other info about them, so I can figure out why am i attacked and find out who the Hackers were.

 

I deleted my whole files on the server and my databases to recover the site(didn't copy new files yet.)

 

My site was in Maintenance mode and I didn't announce it to anyone yet! it was a Wordpress 3.0.1 site.

 

my site: computech.heliohost.org

 

please help.

 

Oh mY God. The same Hackers of http://havoz.heliohost.org hacked my site. I just noticed Havoz' post.

 

ADMINISTRATOR: THEY ARE HACKING THIS SERVER. My site hacked by the same group that hacked Havoz. AND like him, I had nothing important in my site, it was just a start!.

 

THEY'RE HACKING for FUN............HEEEELLLLPPP

[Guest Geoff]

It is recommended in the support FAQ

 

It is recommended in the support FAQ that you back up your data. Also, it is not a real security concern to djbob as of this moment, because your account does not have admin priveledges on this server. Your login data probably just got intercepted while logging into cpanel.

 

[pooras]

I didn't say I want my files back. I do know the rules in Free web-Hosts.

 

I'm just trying to alert about a group of hackers that hacked some sites on this server. it's not about my logging infos, i'm saying they focused on Heliohost servers. so take care.

 

I LOVE Helio and want it to be best forever.

[rvt]

...Also, it is not a real security concern to djbob as of this moment, because your account does not have admin priveledges on this server...

 

In my opinion, it doesn't matter about account privileges. Privileges can be escalated with a little work on the attackers part and then it could be a major issue.

 

What could be more of a concern is if Google, Yahoo, and other website security sites decide to warn users that the heliohost.org domain is serving malware to visitors. That would severely hurt heliohost's ability to get new customers and keep their current customers.

 

[Ashoat]

So... I'm thinking it's pretty unlikely that they broke into the server. I figure they'd be hacking heliohost.org or helionet.org if they had access.

 

My guess is that you guys were all running the same software that had a bug in it. What CMS/forum/blog software were you guys all running?

[alteisenriese]

i thought i was the only one who got my site hacked, and yea i found a hack script from iranian coders in one of my folders. And they even could access my cpanel and using the SSL service to their website, i still remember the name is gauravjee.heliohost.org (please check this user account).

Maybe you guys should check every folder in your website, because i found so many shell codes in my site, if they really get the password from heliohost server thats really a big issue.

[Ashoat]

I checked your account and I can't find any shell scripts.

 

What is the "SSL service to their website"? How do you know they had access to your cPanel?

[alteisenriese]

I checked your account and I can't find any shell scripts.

 

What is the "SSL service to their website"? How do you know they had access to your cPanel?

Of course you can find any shell script, because i already deleted them. There are 2 websites that using my SSL but i forgot the first one its not heliohost website, the other one is gauravjee.heliohost.org. I know they can access my cpanel because i think using SSL can not be done through shell script and have to use cpanel to do it.